Plugin wallet security incidents overview: plagued by counterfeit software and phishing attacks, with few direct official vulnerabilities.
This morning, December 26, Trust Wallet, the non-custodial crypto wallet with the largest user base, officially issued a security alert confirming that version 2.68 of its browser plugin contains a security vulnerability. On-chain detective ZachXBT revealed that hundreds of Trust Wallet users have had funds stolen, with losses totaling at least $6 million. Trust Wallet has been downloaded more than 200 million times and has approximately 17 million monthly active users, about 35% of the market, so the impact of this incident is widespread.
A review of past security incidents involving the major browser plugin wallets follows. Trust Wallet's browser plugin was previously found to have a WebAssembly vulnerability in November 2022, affecting only new wallet addresses created between November 14 and 23, 2022; approximately $170,000 was stolen as a result. Trust Wallet learned of the problem through its bug bounty program, fixed the vulnerability, and fully compensated affected users.
MetaMask was affected by the "Demonic" vulnerability in 2022, which concerned versions prior to 10.11.3 and could expose private keys in browser memory; no large-scale fund losses are known. From 2023 to 2025, MetaMask's official wallet plugin operated without a comparable incident, but it was frequently targeted by counterfeit extensions. Chainalysis reports show a surge in abnormal theft incidents among MetaMask users in 2025, driven mainly by malware and phishing rather than by the security of the plugin wallet itself. MetaMask publishes monthly security reports, but as the most popular Ethereum plugin wallet it remains a primary target for counterfeits.
Phantom (the main wallet plugin for Solana) was also affected by the "Demonic" vulnerability in 2022, again with no known large-scale fund losses. In early 2025, a security controversy arose around the Phantom plugin: a user lost $500,000 in a hacker attack attributed to private keys being stored unencrypted in memory, and a class-action lawsuit was filed in the U.S. District Court for the Southern District of New York. Phantom's official statement strongly denied all allegations, called the lawsuit "baseless", and emphasized that Phantom is a non-custodial wallet, so responsibility for fund security rests with the user.
Rabby Wallet (a DeFi-oriented plugin) was hacked in 2022 through a Rabby Swap vulnerability, with approximately $200,000 in crypto assets stolen; the flaw was in the built-in swap feature rather than in the plugin itself. The most common way browser plugin wallets are drained, however, is through fake app downloads. In 2025, multiple such incidents occurred in the Firefox add-on store, impersonating major crypto plugins including MetaMask, Phantom, and Trust Wallet.
By contrast, vulnerabilities in the official plugins themselves are relatively rare. Users are advised to install wallet plugins only from the official Chrome Web Store to protect their funds.
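The two failure modes the article keeps returning to, look-alike extensions installed from the wrong place and an official build at a version the vendor has flagged, can both be checked from the browser profile on disk. The following script is an added example, not code from the article or from any wallet vendor: it walks a Chromium-style profile (`<profile>/Extensions/<extension id>/<version>/manifest.json`), maps each extension's manifest name to a wallet family, and reports any wallet whose extension ID is not on an allowlist of official IDs or whose version matches a flagged one. The official IDs are placeholders (the article does not give them; take them from each vendor's Chrome Web Store listing), and the flagged-version table contains only the Trust Wallet 2.68 build the alert names. The sample profile it builds for demonstration is constructed.

```python
"""Audit a Chromium profile for look-alike or flagged wallet extensions.

Added example, not part of the article or of any wallet project.
Assumptions: the on-disk layout <profile>/Extensions/<id>/<version>/manifest.json,
placeholder official IDs below, and a constructed sample profile for the demo.
"""
import json
import tempfile
from pathlib import Path

# PLACEHOLDER IDs: the article does not list official Chrome Web Store IDs.
# Replace with the ID shown in each vendor's official store listing.
OFFICIAL_IDS = {
    "Trust Wallet": "PLACEHOLDER_TRUST_WALLET_ID",
    "MetaMask": "PLACEHOLDER_METAMASK_ID",
}
# Versions the vendor has publicly flagged; the article names Trust Wallet 2.68.
FLAGGED_VERSIONS = {
    "Trust Wallet": ["2.68"],
}


def _wallet_family(name):
    """Map an extension's manifest name to a tracked wallet family, or None."""
    for family in OFFICIAL_IDS:
        if family.lower() in name.lower():
            return family
    return None


def _version_matches(version, flagged):
    """True if `version` is `flagged` or a point release of it (2.68.0 matches 2.68)."""
    v = version.split(".")
    f = flagged.split(".")
    return v[: len(f)] == f


def audit_extensions(profile_dir):
    """Return one finding per wallet extension that fails the ID or version check."""
    findings = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return findings
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for manifest_path in sorted(ext_dir.glob("*/manifest.json")):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, do not crash the audit
            name = str(manifest.get("name", ""))
            version = str(manifest.get("version", ""))
            family = _wallet_family(name)
            if family is None:
                continue  # not a tracked wallet (localized "__MSG_x__" names also land here)
            record = {"id": ext_dir.name, "name": name, "version": version}
            if ext_dir.name != OFFICIAL_IDS[family]:
                # Same display name, different extension ID: a look-alike install.
                findings.append({**record, "reason": "unexpected_id"})
                continue
            if any(_version_matches(version, fv) for fv in FLAGGED_VERSIONS.get(family, [])):
                # Official ID, but at a version the vendor has flagged.
                findings.append({**record, "reason": "flagged_version"})
    return findings


def build_demo_profile():
    """Constructed sample profile: a flagged official build, a look-alike, and a clean install."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    samples = [
        ("PLACEHOLDER_TRUST_WALLET_ID", "2.68.0", "Trust Wallet"),  # official ID, flagged version
        ("zzzz_lookalike_id", "2.68.0", "Trust Wallet"),            # counterfeit: same name, other ID
        ("PLACEHOLDER_METAMASK_ID", "12.0.0", "MetaMask"),          # official ID, no flagged version
    ]
    for ext_id, version, name in samples:
        d = root / "Extensions" / ext_id / f"{version}_0"
        d.mkdir(parents=True)
        manifest = {"name": name, "version": version, "manifest_version": 3}
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    for finding in audit_extensions(build_demo_profile()):
        print(f"{finding['reason']:16} {finding['id']:28} {finding['name']} {finding['version']}")
```

Run it against a real profile by passing the profile directory (for example the `Default` folder under the Chrome user-data directory) to `audit_extensions`; an empty result means every tracked wallet extension carries an allowlisted ID and is not at a flagged version. The name-based matching is deliberately loose so that a counterfeit calling itself "Trust Wallet Pro" is still caught by the ID check.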